Article, PDF available

Unbalanced Oil and Vinegar Signature Schemes

Abstract

In [15], J. Patarin designed a new scheme, called "Oil and Vinegar", for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called "oil" and v = n unknowns called "vinegar" over a finite field K, with linear secret functions. This original scheme was broken in [9] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where v > n (instead of v = n). These schemes are called "Unbalanced Oil and Vinegar" (UOV), since we have more "vinegar" unknowns than "oil" unknowns. We show that, when v ≃ n, the attack of [9] can be extended, but when v ≥ 2n for example, the security of the scheme is still an open problem. Moreover, when v ≃ n²/2, the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solvi...
... Multivariate public-key cryptography (MPKC) [8] is considered as one of the main candidates for post-quantum cryptography (PQC) [2]. A lot of multivariate schemes have been proposed so far, and the UOV signature scheme [16], which was proposed by Kipnis et al. in 1999, is considered as a secure multivariate scheme. ...
... In the additional NIST PQC standardization, 40 signature schemes were accepted to the first round in June 2023, and 11 among them are multivariate schemes. In MPKC, UOV [16] is considered to be a fundamental scheme, since it has had no fatal attacks so far and is constructed using simple algorithms. However, it has the drawback of a large public key compared to other PQC such as lattice-based cryptosystems. ...
... In this section, we explain the constructions of two multivariate signature schemes, UOV [16] and Rainbow [9]. Let F be a finite field with elements throughout this paper. ...
Article
Multivariate public-key cryptography (MPKC) is considered as one of the main candidates for post-quantum cryptography (PQC). In MPKC, the MinRank attacks, which try to solve the MinRank problem obtained from a public key, are important since a lot of multivariate schemes are broken by these attacks. Among them, the rectangular MinRank attack was recently proposed for the Rainbow scheme by Beullens, and it tries to solve a new kind of MinRank problem obtained by transforming the public key of Rainbow. Due to this attack, it is known that the security level of Rainbow was reduced. Rainbow is a multi-layered variant of the UOV scheme, and UOV is considered to be resistant to all MinRank attacks since its public key consists of full rank matrices. Recently, three new variants of the UOV scheme having a small public key, MAYO, QR-UOV and VOX, have been submitted to the NIST PQC standardization of additional digital signature schemes. In this paper, we show that the rectangular MinRank attack is applicable to MAYO, QR-UOV and VOX. Moreover, we estimate the complexity of the attack. In particular, we report that all the parameter sets of VOX submitted to NIST PQC standardization are broken in at most 2⁵⁵ gate operations.
... Regarding multivariate quantum-resistant signature schemes, existing ones include Rainbow [20], HFE [21], UOV [22], GeMSS [23], and LUOV [24]. ...
... The UOV signature scheme has excellent performance and small signature sizes, but it also has the issue of large key sizes, making it unsuitable as a general signature scheme. Based on [22], [25] proposed the MAYO signature scheme, a variant of the UOV scheme. It operates by using a UOV mapping with an unusually small oil space P ∶ n q → n q to make the public key representation more compact, thus reducing the large public key size issue in the UOV scheme. ...
Article
Full-text available
Blockchain technology enables secure information and value exchange in untrusted environments by integrating cryptographic techniques such as public–private key cryptography, hash algorithms, and consensus mechanisms. It is poised to become a foundational technology for the future Internet of Value. However, the security of current mainstream blockchains relies on asymmetric encryption algorithms that are vulnerable to quantum attacks, as their security depends on the computational difficulty of solving number-theoretic problems like integer factorization and discrete logarithms in classical computing models. This paper investigates quantum-resistant blockchain technologies to address these vulnerabilities. First, it analyzes the susceptibility of existing blockchain systems to quantum attacks at multiple levels, including signature algorithms, TLS layer data exchange, consensus mechanisms, and privacy protection. Second, it provides a comprehensive comparison of promising quantum-resistant signature and key encapsulation algorithms, evaluating their characteristics and performance in terms of resource utilization, key size, and other critical metrics. Building on this analysis, the paper proposes a general framework for measuring performance indicators of quantum-resistant blockchains and suggests optimization methods to enhance system performance, focusing on aspects such as block size and consensus mechanisms. Additionally, a multidimensional comparative analysis of existing quantum-resistant blockchain solutions is presented. This work highlights the challenges in achieving quantum resistance for blockchain systems and offers valuable insights and guidance for researchers designing quantum-resistant blockchain solutions and optimizing their performance.
... In 1988, Matsumoto and Imai [21] proposed the first multivariate digital signature, which was attacked by Patarin [24] in 1995. Since then, various multivariate digital signatures have been proposed, but most of the earlier constructions [7,21,25,26] are not secure enough to implement. In 1999, Kipnis et al. [16] proposed the unbalanced oil and vinegar (UOV) signature scheme, which is a variant of the previously defeated oil and vinegar signature scheme of Patarin [26]. ...
... The UOV signature is one of the most secure MPKC-based digital signatures to date and produces significantly smaller signatures in comparison with other post-quantum signatures [3]. ...
... We concentrate on the complexity of Crossbred for random instances where the size of the field is larger than 2, but still small, say less than 2^5. Such instances are relevant for UOV, MQDSS, MAYO, and MQOM [5,7,8,18] among other cryptosystems. ...
Article
Full-text available
Multivariate public key cryptography (MPKC) is one of the most promising alternatives to build quantum-resistant signature schemes, as evidenced in NIST’s call for additional post-quantum signature schemes. The main assumption in MPKC is the hardness of the Multivariate Quadratic (MQ) problem, which seeks for a common root to a system of quadratic polynomials over a finite field. Although the Crossbred algorithm is among the most efficient algorithms to solve MQ over small fields, its complexity analysis stands on shaky ground. In particular, it is not clear for what parameters it works and under what assumptions. In this work, we provide a rigorous analysis of the Crossbred algorithm over any finite field. We provide a complete explanation of the series of admissible parameters proposed in previous literature and explicitly state the regularity assumptions required for its validity. Moreover, we show that the series does not tell the whole story, hence we propose an additional condition for Crossbred to work. Additionally, we define and characterize a notion of regularity for systems over a small field, which is one of the main building blocks in the series of admissible parameters.
... The goal of this paper is to look at the current state of development of cryptography and the possible prospects of its further growth, in order to gain a deeper understanding of how this vital sector defines the nature of information security in a constantly developing and integrating environment. In this discussion, both sides of the modern cryptographic forms shall be discussed to provide a rich treatment of this field, which is still expanding [5]. ...
Article
Full-text available
Cryptography remains one of the oldest and most indispensable principles of today's information protection disciplines because it gives indispensable tools for protecting content and messages during communication and data transfer. This review surveys extant research on possible cryptographic methods and their applications in different fields, comprising conventional key-based and new complexity-based cryptography, cryptography based on blockchain, homomorphic cryptography, post-quantum cryptography and other types of cryptography. New complicated threats and the emergence of quantum computing, AI, blockchain, 5G and IoT are posing new threats, challenges and opportunities in cryptography. In this paper, some of these key issues include: the vulnerability of the traditional cryptographic system to brute force attacks, the impact of new developments in quantum computing on current encryption security systems, the problem of key management, and side channel attacks. This article addresses how cryptography is used in protecting emerging technologies, such as how lightweight cryptography is incorporated into IoT peripherals, how cryptography is applied to blockchain or cryptocurrencies, and artificial intelligence systems. With the arrival of quantum computing capable of threatening the security of classical cryptographic methods, the focus of the cryptographic community shifts to post-quantum options like QKD and lattices. The next section of the review also talks about directions for the future development of cryptography, and emphasizes the importance of creating new cryptographic algorithms that cater for the demands of scalability, efficiency and security to meet the increasing development in technologies. Cryptology is still needed for the protection of relevant information and for providing secure communication in the age of an integrated and computer-oriented society.
The further evolution of intricate cryptographic methods and their integration into advanced technologies is useful to combat new threats and guarantee the safety of information that will be necessary in the following years.
... These algorithms were motivated by the cryptanalysis of multivariate schemes, where the system of equations given by the public key can be underdetermined. A typical example is the Unbalanced-Oil-and-Vinegar (UOV) [KPG99] system. Although the UOV system is underdetermined, it is significantly less so than the system Q, as the ratio of the number of equations to the number of variables typically remains constant. ...
Preprint
Full-text available
In this work, we propose a new way to (non-interactively, verifiably) demonstrate Quantum Advantage by solving the average-case $\mathsf{NP}$ search problem of finding a solution to a system of (underdetermined) multivariate quadratic equations over the finite field $\mathbb{F}_2$ drawn from a specified distribution. In particular, we design a distribution of degree-2 polynomials $\{p_i(x_1,\ldots,x_n)\}_{i\in [m]}$ for $m<n$ over $\mathbb{F}_2$ for which we show that there is a quantum polynomial-time algorithm that simultaneously solves $\{p_i(x_1,\ldots,x_n)=y_i\}_{i\in [m]}$ for a random vector $(y_1,\ldots,y_m)$. On the other hand, while a solution exists with high probability, we conjecture that it is classically hard to find one based on classical cryptanalysis that we provide, including a comprehensive review of all known relevant classical algorithms for solving multivariate quadratics. Our approach proceeds by examining the Yamakawa-Zhandry (FOCS 2022) quantum advantage scheme and replacing the role of the random oracle with our multivariate quadratic equations. Our work therefore gives several new perspectives: First, our algorithm gives a counterexample to the conventional belief that generic classically hard multivariate quadratic systems are also quantumly hard. Second, based on cryptanalytic evidence, our work gives an explicit simple replacement for the random oracle from the work of Yamakawa and Zhandry. We show how to instantiate the random oracle with families of just degree two multivariate polynomials over $\mathbb{F}_2$.
... In 1997, Patarin [2] first proposed the Oil and Vinegar signature scheme (OV scheme) based on the MQ-problem using the ASA structure. Subsequently, Kipnis and Shamir showed that the OV scheme was insecure and proposed an improved scheme, the Unbalanced Oil and Vinegar (UOV) scheme [3]. Ding and Schmidt [4] proposed Rainbow, a variant of UOV, based on the multiple-layered structure to reduce the key size and improve performance. ...
Article
Full-text available
Multivariate quadratic equation-based cryptographic algorithms are one of the promising post-quantum alternatives to current public-key cryptographic algorithms based on the discrete logarithm problem and the integer factorization problem. In this paper, we provide advanced security analysis of UOV, a well-known signature scheme based on the multivariate quadratic equations, when Vinegar values are reused in signing for efficiency. We determine the minimum number of signatures generated by the reused Vinegar values required for UOV secret key recovery. More precisely, ⌈v/o⌉ + 1 signatures are enough to recover the secret key in polynomial time. According to our experimental results, we can recover the secret key of UOV from only three signatures generated by the reused Vinegar values in 72 ms, 498 ms and 1,527 ms on a desktop at the 128-bit, 192-bit and 256-bit security levels, respectively.
... The Bipolar Construction method has found extensive application in numerous significant multivariate schemes, including Matsumoto-Imai [MI88], HFE [Pat96], Oil and Vinegar [Pat97], and Rainbow [DS05]. Unfortunately, the affine equivalence keeps many properties and structures of a system of equations. ...
Preprint
Full-text available
Multivariate Cryptography is one of the main candidates for Post-quantum Cryptography. Multivariate schemes are usually constructed by applying two secret affine invertible transformations $\mathcal S,\mathcal T$ to a set of multivariate polynomials $\mathcal{F}$ (often quadratic). The secret polynomials $\mathcal{F}$ possess a trapdoor that allows the legitimate user to find a solution of the corresponding system, while the public polynomials $\mathcal G=\mathcal S\circ\mathcal F\circ\mathcal T$ look like random polynomials. The polynomials $\mathcal G$ and $\mathcal F$ are said to be affine equivalent. In this article, we present a more general way of constructing a multivariate scheme by considering the CCZ equivalence, which has been introduced and studied in the context of vectorial Boolean functions.
Preprint
Full-text available
Blockchains have gained substantial attention from academia and industry for their ability to facilitate decentralized trust and communications. However, the rapid progress of quantum computing poses a significant threat to the security of existing blockchain technologies. Notably, the emergence of Shor's and Grover's algorithms raises concerns regarding the compromise of the cryptographic systems underlying blockchains. Consequently, it is essential to develop methods that reinforce blockchain technology against quantum attacks. In response to this challenge, two distinct approaches have been proposed. The first approach involves post-quantum blockchains, which aim to utilize classical cryptographic algorithms resilient to quantum attacks. The second approach explores quantum blockchains, which leverage the power of quantum computers and networks to rebuild the foundations of blockchains. This paper aims to provide a comprehensive overview and comparison of post-quantum and quantum blockchains while exploring open questions and remaining challenges in these domains. It offers an in-depth introduction, examines differences in blockchain structure, security, privacy, and other key factors, and concludes by discussing current research trends.
Conference Paper
Full-text available
We set out to build a public key cryptosystem by repeatedly substituting for variables in multivariate polynomials and simplifying the results to conceal the substitution process. There seems, however, to be no way to build such a system that is both secure and has a public key of practical size when the devices used to limit the number of coefficients are nilpotence and J-rings. We have only shown, however, that it is impossible to produce such a system if the total degree of the encryption polynomial determines the size of the public key. Perhaps, by properly choosing p_0 and p_1, we can employ the fundamental scheme to produce sparse encrypting polynomials. Then the public key could be kept small while the encrypting polynomial has large total degree and is difficult to invert.
Conference Paper
Without Abstract
Conference Paper
Several multivariate algebraic signature schemes had been proposed in recent years, but most of them had been broken by exploiting the fact that their secret trapdoors are low rank algebraic structures. One of the few remaining variants is Patarin's "Oil & Vinegar" scheme, which is based on a system of n quadratic forms in 2n variables of two flavors (n "oil" variables and n "vinegar" variables). The security of the scheme depends on the difficulty of distinguishing between the two types, and does not seem to be susceptible to known low rank attacks. In this paper we describe two novel algebraic attacks which can efficiently separate the oil and vinegar variables, and thus forge arbitrary signatures.
Conference Paper
In [1] T. Matsumoto and H. Imai have presented a very efficient "candidate" algorithm, called C*, for asymmetric cryptography. This algorithm was broken in [2]. Then in [3], I have suggested two algorithms, HFE and IP, to repair C*. However, the secret key computations of HFE and IP are not as efficient as in the original algorithm C*. Is it possible to repair C* with the same kind of very easy secret key computations? This question is the subject of this paper. Unfortunately, we will see that for all the "easy" transformations of C* the answer is no. However, one of the new ideas of this paper will enable us to suggest a candidate algorithm for asymmetric signatures of length only 64 bits. An extended version of this paper can be obtained from the author.
Conference Paper
In [6] T. Matsumoto and H. Imai described a new asymmetric algorithm based on multivariate polynomials of degree two over a finite field, which was subsequently broken in [9]. Here we present two new families of Asymmetric Algorithms that so far have resisted all attacks, if properly used: Hidden Field Equations (HFE) and Isomorphism of Polynomials (IP). These algorithms can be seen as two candidate ways to repair the Matsumoto-Imai Algorithm. HFE can be used to do signatures, encryption or authentication in an asymmetric way, with very short signatures and short encryptions of short messages. IP can be used for signatures and for zero knowledge authentication. An extended version of this paper can be obtained from the author. Another way to repair the Matsumoto-Imai Algorithm will be presented in [10].
Conference Paper
This article is divided into three parts. The first part describes the known candidates of trapdoor one-way permutations. The second part presents a new algorithm, called D*. As we will see, this algorithm is not secure. However, in the third part, D* will be a useful tool to present our new candidate trapdoor one-way permutation, called D**. This candidate is based on properties of multivariate polynomials on finite fields, and has similar characteristics to T. Matsumoto and H. Imai's schemes. What makes trapdoor one-way permutations particularly interesting is the fact that they immediately provide ciphering, signature, and authentication asymmetric schemes. Our candidate performs excellently in secret key, and secret key computations can be implemented in low-cost smart-cards, i.e. without co-processors. An extended version of this paper can be obtained from the authors.